Still running with legacy domain join settings? Attackers love it. Learn the modern model: MAQ=0 (ms-DS-MachineAccountQuota), OU-scoped delegation (not SeMachineAccountPrivilege), a DC allow-list for account reuse, and a guarded Staging OU before production. Bonus: Offline Domain Join for segmented OT sites.
